Security Baseline status does not change after error or conflict fixing

Pavel yannara Mirochnitchenko 12,391 Reputation points MVP
2023-01-13T08:02:15.3566667+00:00

I wonder if this is a bug around baseline status and monitoring, because I have witnessed that after fixing errors and conflicts, new machines green up but old ones are still in error status. Let me clarify:

  1. Pilot MachineA receives the default Windows Security Baseline.
  2. Conflicts are seen in the baseline and fixed (the conflicting settings are removed).
  3. The fixed Windows Security Baseline hits the production group.
  4. MachineB in production receives the fixed Windows Security Baseline and ends up with green status.
  5. MachineA from the pilot group still has error/conflict status.

MachineA and MachineB have similar configurations; they are standard.

Has anyone else witnessed the same behavior?

Tags: Microsoft Intune Security, Microsoft Intune Configuration

3 answers

  1. Crystal-MSFT 45,656 Reputation points Microsoft Vendor
    2023-01-16T05:38:30.7666667+00:00

    @Pavel Yannara Mirochnitchenko, thanks for posting in Q&A. From your description, it seems new machines are working after fixing conflicts, but old machines still show errors.

    To troubleshoot our issue, please collect the following information:

    1. What is the specific affected setting? How many settings are affected?
    2. For the old machines, if we sync the devices and restart them, is the result different?
    3. After we sync policy on the device, is there still any related error in the event log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider?

    Please confirm the above information and if there's any update, feel free to let us know.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
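The check in step 3 above, as an added PowerShell example that is not part of the thread: it triggers an MDM policy sync through the enrollment client's scheduled task and then lists Error/Warning events written by the MDM diagnostics provider since that sync. The log name and task path are the standard ones on Windows 10/11; the `$Hours` fallback window and the output shape are my own choices.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the affected device.
# 1) Trigger an MDM policy sync via the enrollment client's scheduled task
#    (same effect as "Sync" in Settings > Accounts > Access work or school).
# 2) List Error/Warning events from the MDM diagnostics provider log written since the sync.
param([int]$Hours = 1)   # assumed parameter: lookback window if no sync task is found

$syncTask = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskName -like 'Schedule #3 created by enrollment client*' } |
    Select-Object -First 1

$since = (Get-Date).AddHours(-$Hours)
if ($syncTask) {
    Start-ScheduledTask -InputObject $syncTask
    Start-Sleep -Seconds 60            # give the OMA-DM session time to finish
    $since = (Get-Date).AddMinutes(-2) # only look at events produced by this sync
}

$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
# Level 2 = Error, Level 3 = Warning
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2,3; StartTime = $since } `
    -ErrorAction SilentlyContinue

if (-not $events) {
    "No Error/Warning MDM events since $since : the device itself reports no policy failures."
    return
}

# Group by event ID so a setting that fails on every sync is counted once, not listed repeatedly.
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            EventId  = $_.Name
            Count    = $_.Count
            LastSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            Message  = ($_.Group[0].Message -split "`n")[0]   # first line names the CSP/setting
        }
    } | Format-Table -AutoSize
```

If the device logs no errors after a sync while the Intune portal still shows error/conflict, the discrepancy is in the reported status rather than in what the device applied, which is the situation the question describes.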


  2. Pavel yannara Mirochnitchenko 12,391 Reputation points MVP
    2023-01-18T06:55:16.1466667+00:00

    So the solution here is that if the conflicting settings are afterwards set to Not configured, they will actually not change, and the status will remain the same. That's why newly installed computers show up green, but old ones do not.


  3. Pavel yannara Mirochnitchenko 12,391 Reputation points MVP
    2023-01-21T22:19:29.43+00:00

    It looks like re-creating all baselines, excluding the settings already known to cause conflicts, fixed the issue on existing computers. It also looks like if you just deploy the Windows security baseline as-is, it will fail because of the device lock / password settings.
